* Request: Submission of Rulesets
@ 2005-08-24 18:14 Thomas Jones
2005-08-24 21:07 ` /dev/rob0
0 siblings, 1 reply; 6+ messages in thread
From: Thomas Jones @ 2005-08-24 18:14 UTC (permalink / raw)
To: netfilter
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Greetings,
I would like to formally request end-user submission of rulesets to the
Security Document Initiative's Firewall Rule Subset ---- see the following
resource for more information http://www.buddhalinux.com.
Abstract:
The Security Document Initiative is an implementation of the domain of applied
cryptography as it relates to XML Markup Language and the creation of a
security infrastructure to protect information systems and resources.
This project is charged with developing a XML Document Type Definition
document model that Netfilter rulesets can be validated against. Any document
instance of the "Firewall Rule Subset" must be well-formed and comply with
the structured XML Markup Language. This language is being designed to
provide all VALID rule entries that are available under the netfilter
framework.
This is where you the end-user come into play. Obviously, it would take me an
untold number of days/weeks/months/years to construct a comprehensive and
stable compilation of valid rules. The compilation of the rules and rulesets
are a key step in this development process. Without, all representative rules
and rulesets; a correct and valid netfilter rule will be deemed invalid under
an improperly constructed document model. Thus, negating the purpose and
intent of the SDI Firewall Rule Subset project.
All submissions are held in complete confidentiality. You may choose to alter
your rules and/or rulesets accordingly to obfuscate and mask the original
address schemes. However, a confidentiality agreement will be made available
to interested parties. Due care and diligence will be made to ensure end-user
privacy. All submissions will be stored in encrypted form only on a
non-networked medium.
Digitally signed and/or encrypted submissions are recommended.
I would like to thank the Netfilter community in advance for their
contributions to this project.
Cheers,
Thomas Jones
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFDDLkGoR5cE1e/kEIRAsc7AJ0ctaPsMyetjFpoR5efvRrdn3B2ogCffSmu
WCf1meG+lA4VS2NZHZSo7JE=
=u4s2
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Request: Submission of Rulesets
2005-08-24 18:14 Request: Submission of Rulesets Thomas Jones
@ 2005-08-24 21:07 ` /dev/rob0
2005-08-24 22:25 ` Thomas Jones
0 siblings, 1 reply; 6+ messages in thread
From: /dev/rob0 @ 2005-08-24 21:07 UTC (permalink / raw)
To: netfilter
On Wednesday 2005-August-24 13:14, Thomas Jones wrote:
> Abstract:
I readily admit that this is not a good day for me. I am not operating
at full capacity, so to speak. But I have to say that this post made no
sense at all to me. Is it just me? Did anyone else understand it? If
so, can you explain it?
> The Security Document Initiative is an implementation of the domain
> of applied cryptography as it relates to XML Markup Language and the
> creation of a security infrastructure to protect information systems
> and resources.
I once saw an online automated generator of scholarly papers. It was
hilarious! It used language just like this.
> This project is charged with developing a XML Document Type
> Definition document model that Netfilter rulesets can be validated
> against. Any document instance of the "Firewall Rule Subset" must be
> well-formed and comply with the structured XML Markup Language. This
> language is being designed to provide all VALID rule entries that are
> available under the netfilter framework.
Okay, I think I see a little substance here. The poster wants something
which lists every possible valid netfilter rule. Right?
Unfortunately, the list of valid rules is almost infinite. And what's
valid may vary in context: what's available in the kernel, other rules
in the chain, et c. "iptables I OUTPUT -j LOG" is a valid rule (rather
unfortunate if the local syslogd is logging to a remote syslog server,
as each packet generates another one ad infinitum), but only valid if
the LOG target is available.
> This is where you the end-user come into play. Obviously, it would
> take me an untold number of days/weeks/months/years to construct a
> comprehensive and stable compilation of valid rules. The compilation
It's not even possible.
> of the rules and rulesets are a key step in this development process.
> Without, all representative rules and rulesets; a correct and valid
> netfilter rule will be deemed invalid under an improperly constructed
> document model. Thus, negating the purpose and intent of the SDI
> Firewall Rule Subset project.
Perhaps the purpose and intent of the SDI Firewall Rule Subset project
should be reevaluated.
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: Request: Submission of Rulesets
2005-08-24 21:07 ` /dev/rob0
@ 2005-08-24 22:25 ` Thomas Jones
2005-08-24 22:36 ` /dev/rob0
0 siblings, 1 reply; 6+ messages in thread
From: Thomas Jones @ 2005-08-24 22:25 UTC (permalink / raw)
To: netfilter
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Wednesday 24 August 2005 16:07, /dev/rob0 wrote:
> On Wednesday 2005-August-24 13:14, Thomas Jones wrote:
> > Abstract:
>
> I readily admit that this is not a good day for me. I am not operating
> at full capacity, so to speak. But I have to say that this post made no
> sense at all to me. Is it just me? Did anyone else understand it? If
> so, can you explain it?
>
>
> I once saw an online automated generator of scholarly papers. It was
> hilarious! It used language just like this.
Hehehe. Ok...lets make it simple for you. Various security documentation is
composed using a custom XML markup language. Depending on the content,
modules are included or excluded. Given that these document instances are
security in nature they can be secured by a digital signature, encryption, or
both.
>
> Okay, I think I see a little substance here. The poster wants something
> which lists every possible valid netfilter rule. Right?
Seemingly, you are the the person to do this feat? Realistically, I don't
expect you or anybody else to have knowledge of all the rules. I have already
developed the basic structure of the DTD. I just want to do some QA on various
rulesets that I have not applied it to.
>
> Unfortunately, the list of valid rules is almost infinite. And what's
> valid may vary in context: what's available in the kernel, other rules
> in the chain, et c. "iptables I OUTPUT -j LOG" is a valid rule (rather
> unfortunate if the local syslogd is logging to a remote syslog server,
> as each packet generates another one ad infinitum), but only valid if
> the LOG target is available.
>
The scenario you describe is what is called a conditional statement. Pretty
self-explanatory with regards to an XML DTD(or many other disciplines for
that reason).
>
> It's not even possible.
>
This statement is rather benign. Going back to your conditional statement
scenario; the DTD is constructed like that of a programming language. It can
be developed by means of pseudo-functions. An element may contain another, so
on so forth. This is surely within the intended scope and capability.
>
> Perhaps the purpose and intent of the SDI Firewall Rule Subset project
> should be reevaluated.
Because you do no not fully understand does not make it wrong.
How do you know what I don't know? You are not me.
- ---Zhuang Zi - The Warring States Period
Cheers,
Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFDDPPHoR5cE1e/kEIRAkM0AJ9KGwqKuzMCJjsm8oQ3RXHK43MVJgCfaqR7
nuf6UbusppcBeD62jfqcmVY=
=qsSS
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Request: Submission of Rulesets
2005-08-24 22:25 ` Thomas Jones
@ 2005-08-24 22:36 ` /dev/rob0
2005-08-24 22:48 ` Thomas Jones
0 siblings, 1 reply; 6+ messages in thread
From: /dev/rob0 @ 2005-08-24 22:36 UTC (permalink / raw)
To: netfilter
On Wednesday 2005-August-24 17:25, Thomas Jones wrote:
> > I once saw an online automated generator of scholarly papers. It
> > was hilarious! It used language just like this.
>
> Hehehe. Ok...lets make it simple for you. Various security
You really should Google that. It was loads of fun. I generated some
scholarly papers under my name and sent them to colleagues "for review
and comment." They were ashamed to admit that it was all a bunch of
gibberish to them. I laughed for days. :)
If I could remember the URL I would post it.
> > Okay, I think I see a little substance here. The poster wants
> > something which lists every possible valid netfilter rule. Right?
>
> Seemingly, you are the the person to do this feat? Realistically, I
> don't expect you or anybody else to have knowledge of all the rules.
> I have already developed the basic structure of the DTD. I just want
Ah, *that* was the piece I was missing. You are accepting the rulesets
submitted as valid (probably) and are simply using them to test your
DTD. Is that it? I thought you were compiling it from the submitted
rulesets, and that, I guess we agree, is not possible.
> Because you do no not fully understand does not make it wrong.
I still don't, but at least the gibberish issue is cleared up. :)
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: Request: Submission of Rulesets
2005-08-24 22:36 ` /dev/rob0
@ 2005-08-24 22:48 ` Thomas Jones
[not found] ` <8d48b6ba050824174131a2bbd3@mail.gmail.com>
0 siblings, 1 reply; 6+ messages in thread
From: Thomas Jones @ 2005-08-24 22:48 UTC (permalink / raw)
To: netfilter
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Wednesday 24 August 2005 17:36, /dev/rob0 wrote:
>
> If I could remember the URL I would post it.
>
If you find it forward it to me. Sounds like it could be an interesting
trick or two.
>
> Ah, *that* was the piece I was missing. You are accepting the rulesets
> submitted as valid (probably) and are simply using them to test your
> DTD. Is that it? I thought you were compiling it from the submitted
> rulesets, and that, I guess we agree, is not possible.
>
Some of the targets and matches located in the extra repository have not been
introduced. These will definitely take some work. Altough progress has been
made, I am sure that I have neglected various syntactical portions of the
netfilter framework.
>
> I still don't, but at least the gibberish issue is cleared up. :)
Fair enough. ;)
Cheers,
Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFDDPlAoR5cE1e/kEIRAnTvAJ9MdKaDz6DME9g7XQRhK9ZfCHq8fQCcDQJq
Y9zJBZ5HNohUBV8e0eg/D7Y=
=h+/H
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2005-08-25 0:42 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2005-08-24 18:14 Request: Submission of Rulesets Thomas Jones
2005-08-24 21:07 ` /dev/rob0
2005-08-24 22:25 ` Thomas Jones
2005-08-24 22:36 ` /dev/rob0
2005-08-24 22:48 ` Thomas Jones
[not found] ` <8d48b6ba050824174131a2bbd3@mail.gmail.com>
2005-08-25 0:42 ` Fwd: " Shannon Roddy
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.